Is 'Enable OWA reverse proxy' required for ActiveSync to function? Is there any way to perform an ActiveSync reverse proxy without the OWA reverse proxy, or to deny access to sync.domain.com/owa? Is it possible to develop this option for security reasons if only ActiveSync is required?

If enabling OWA is required for now, what are the best methods to secure OWA from attacks?

In testing, Exchange 2010 SP3 by default does NOT appear to lock out or ban usernames or IPs for OWA or ActiveSync after several security audit failures ("account failed to log on").

I found a free .NET application named "Cyberarms Intrusion Detection and Defence System" that reviews event logs in real time and can be configured to automatically deny connections from an IP for x amount of time after x number of failed logins.
Using a reverse proxy on pfSense makes a Windows host IDS a bad solution, because the Windows CAS server logs and the Cyberarms application running on the CAS server see the IP of the pfSense gateway as the threat network address attempting authentication, not the WAN IP address of the hacker that is in the pfSense logs: cyberarms.net https://www.youtube.com/watch?v=OaUqCZv7DmI

pfSense has pfBlocker enabled and ACL IP whitelists will be set up. What else should be set up on pfSense to secure OWA from attacks and brute force?
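
The failed-login threshold logic described in the post, as an added example that is not part of the original post and is not Cyberarms or pfSense code: it counts failures per address inside a time window, first keyed on the client address a reverse proxy would log, then on the address the server behind the proxy sees. The log format, the addresses, the thresholds and the use of HTTP 401 as the failed-login signal are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

GATEWAY = "192.168.1.1"  # constructed: LAN address of the reverse proxy

# Constructed sample lines in a hypothetical format: epoch client_ip http_status path
PROXY_LOG = """\
1000 203.0.113.7 401 /Microsoft-Server-ActiveSync
1005 203.0.113.7 401 /Microsoft-Server-ActiveSync
1010 198.51.100.20 401 /Microsoft-Server-ActiveSync
1012 203.0.113.7 401 /Microsoft-Server-ActiveSync
1020 198.51.100.20 200 /Microsoft-Server-ActiveSync
1030 203.0.113.7 401 /Microsoft-Server-ActiveSync
1900 198.51.100.20 401 /Microsoft-Server-ActiveSync
"""

def parse(log):
    """Yield (epoch, client_ip, status) from the constructed log format."""
    for line in log.splitlines():
        epoch, ip, status, _path = line.split()
        yield int(epoch), ip, int(status)

def offenders(events, threshold=3, window=60):
    """Return addresses with >= threshold failed logins (401) within window seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for epoch, ip, status in events:
        if status != 401:
            continue
        q = recent[ip]
        q.append(epoch)
        # Drop failures that have aged out of the sliding window.
        while q and epoch - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def backend_view(events):
    """What the server behind the proxy sees: every request arrives from the gateway."""
    return [(epoch, GATEWAY, status) for epoch, _ip, status in events]

if __name__ == "__main__":
    events = list(parse(PROXY_LOG))
    print("keyed on proxy-logged client:", offenders(events))
    print("keyed on backend-visible peer:", offenders(backend_view(events)))
```

Keyed on the backend-visible address, the only candidate for a ban is the gateway itself, and the one mistyped password from a legitimate client counts toward that same total.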